Here’s what the security part of LinkedIn’s privacy policy said at the time:

In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access data center.

However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.

Unfortunately for the plaintiffs, they failed to provide evidence of injury coming out of the breach that was "concrete and particularized," as well as "actual and imminent," US District Judge Edward J. Davila wrote in his decision (PDF).

The plaintiffs claimed they had been shortchanged: they ponied up the premium membership fee but then didn't get the industry-standard security the privacy policy promised.

The thing is, Davila responded, the plaintiffs didn't pay extra for that security: the same privacy policy, and the same security promise, applied to premium and basic (free) memberships alike.

Rather, what the premium account holders actually got in return for their fees were advanced networking tools and enhanced usage of LinkedIn's services, not a greater level of security.

He wrote:

The User Agreement and Privacy Policy are the same for the premium membership as they are for the nonpaying basic membership. Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members.

Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services.

The [suit] does not sufficiently demonstrate that included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.

Besides, Davila said, the plaintiffs didn't even read the privacy policy to begin with (at least, they didn't allege to have read it in the suit), so how can they claim that they forked over the money for premium memberships based on what it claimed?

As far as injury goes, while Wright claimed that her password had been posted online, it didn't result in identity theft or somebody getting into her account, the judge said, so the claim of financial harm or injury just doesn't fly.

He wrote:

Wright merely alleges that her LinkedIn password was "publicly posted on the Internet on June 6, 2012". In doing so, Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.

One lesson we can take from this is, apparently, that users have to take security promises and privacy policies with a grain of salt.

Beyond that, the nuances of whether a company will be found liable for security lapses, and the whys and why-nots, intrigue me.

I initially conjectured, when the lawsuit was first filed, that LinkedIn had its work cut out for it in defending itself. I was clearly wrong.

What do you think: should LinkedIn get off the hook this easily? Should a company be held liable for not meeting industry standards for security?

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

LinkedIn's privacy policy told them how their data would be protected. It further told them that the internet was not 100% secure and that LinkedIn couldn't guarantee the full security of their information transmitted over LinkedIn. If the plaintiffs had read the privacy policy, they may not have "jumped the gun" with their lawsuit.

This isn’t a matter of LinkedIn getting off the hook easily. This is a matter of a lawsuit being brought with insufficient merit and being dismissed by a judge who evaluated the case on its merits.

Had the lawsuit been targeted at LinkedIn for not adhering to some reasonable standard of password security given its standing in the social media world, and the type of data it holds, then maybe the lawsuit would have had a different level of success.

It’s not the judge’s job to turn a poor lawsuit into a more effective or appropriate one.

The door is still open for others to bring a proper lawsuit, although I am not convinced that LinkedIn was particularly negligent in their actions, based on what details I am aware of today.

Yeah, Keith, I think that's it in a nutshell. Andrew Baker's comment sums up why the lawsuit was premature and brought with insufficient merit, but you sum up my feeling, as in, like, really? Not liable for anything? LinkedIn got away with not salting, just like that? …I guess the scrambling they had to do after the breach was its own form of punishment, of course, added to a badly tarnished reputation and media attention of the most uncomfortable kind. But we'll see what happens… could be more lawsuits, indeed, as Andrew Baker points out…

LinkedIn certainly acted irresponsibly by not protecting passwords sufficiently. However, I don't see how $5 million worth of damage could have been caused by the poorly protected passwords. As you know, here in the US, suing is our national pastime, not baseball. The suit is clearly an act of revenge and/or an attempt to cash in on an unfortunate incident.

"you sum up my feeling, as in, like, really? Not liable for anything?"

Exactly right, not liable for anything. Lisa, you are overlooking one of the most basic points of law: in order to sue for damages, you need to actually have damages! Unless/until the victims have been harmed (e.g., monetary loss through identity theft), and can prove it, they won't win in court.